A global retailer’s recent lawsuit is the first to challenge fines assessed by credit card companies under the Payment Card Industry Data Security Standards (“PCI DSS”). These standards, which were established in 2004 by the major credit card companies, contractually require merchants accepting credit and debit cards to protect cardholder data. The standards outline a number of information security goals and requirements, including maintaining a written information security policy, incident response plan, employee training, firewalls, encryption, and anti-virus software.

Over the past decade, merchants have been fined millions due to alleged PCI non-compliance. In March, Genesco Inc. filed a complaint in the U.S. District Court for the Middle District of Tennessee against Visa seeking to recover $13.3 million in non-compliance fines and assessments that Visa had imposed on two acquiring banks, Wells Fargo and Fifth Third Financial, which processed the payment card information. These banks had paid the fines and assessments, and then collected the total from Genesco pursuant to an indemnification agreement.

Genesco is a specialty retailer that sells footwear, headwear, and sports apparel in over 2,400 stores across the world under various store names, including Journeys, Johnston & Murphy, and Lids. The fines assessed stemmed from the December 2010 breach of Genesco’s payment processing network due to a criminal cyber attack.

Genesco claims in its complaint that Visa had no reasonable basis for concluding that it was non-compliant with the PCI standards, and that there was no actual theft of cardholder data for the accounts in question. Genesco’s complaint brings claims for breach of contract and violation of the California unfair business practices act, and related claims. The case is in its early stages. Visa recently moved to dismiss Genesco’s unfair business practices claim and unjust enrichment claim, and Genesco has yet to file a response.

In 2010, when credit card processor Elavon Inc. sued restaurant chain Cisero’s Inc., seeking $83,000 in PCI fines, Cisero’s counterclaimed, challenging the fines. However, Genesco v. Visa is the first direct lawsuit against a credit card company fighting back against what some have referred to as the payment card industry’s “powerful money-making system of punishing merchants and their banks for breaches, even without evidence that card data was stolen.”
Genesco v. Visa should be watched closely, as an outcome in favor of Genesco could undermine the credit card companies’ ability to assess PCI fines, with the potential to “shake [the] PCI compliance regime to its core.”